[wp-hackers] Security considerations for the WP 2.7 plugin installer

Robert Wetzlmayr r.wetzlmayr at gmail.com
Wed Aug 13 05:04:14 GMT 2008

Dear all,

when rendering a result from a plugin search in the new plugin
installer, display_plugins_table() injects a link to an URL retrieved
from the plugins meta data (@see

As up to this point there's no established level of trust between the
consuming WP site and the plugin homepage URL, I wonder why this
injection is deemed appropriate with respect to potential privacy and
security implications.

>From my understanding, the WP plugin repository is at least at present
not thoroughly screened for potential malware or abusive content at
plugins' homepages, so this deliberate linking might impose all kinds
of threats. Please understand that I am particularly concerned with
the presentation of search results. Any other plugin listing employs
"trusted" plugins which are at least installed on the target site.

Payloaded WordPress plugins already are a common SEO tactic (@see
http://www.anty.info/2008/08/06/pingcrawl-injects-links/), and I
wonder how long it would take before one would social-engineer
unsuspecting WP 2.7 users as an easy prey for a plugin with
"behind-the-scenes" functionality.


Robert 'wet' Wetzlmayr


More information about the wp-hackers mailing list